
How to pass the result of a first command to a second one?

darphboubou
Explorer

Hi

I want to put the result of this command into a second one:

[screenshot: search1.png]

Actually I extract the result into a CSV file, and put the CSV file as a lookup in another command, like below.

(damtest2.csv is the result of my first command)

[screenshot: search2.png]

How can I proceed to avoid passing through a lookup?

Regards


gcusello
SplunkTrust

Hi @darphboubou,

please, next time, copy your search into the Code Sample window so it's easier to answer by copying your code.

Anyway, yes, you can put the first search as a subsearch of the second.

You only have to pay attention to three points:

  • at the end of the subsearch, you always have to use a command like table or fields to identify the fields to use as keys, and only those fields, not others;
  • these fields must have the same names as the corresponding fields in the main search; if not, use rename in the subsearch to align the field names;
  • the results of the subsearch must be fewer than 50,000; if there are more than 50,000, you have to use another approach.

It's complicated to rewrite your search; anyway, you should have something like this:

<your_second_search> [ search <your_first_search> | fields Workstation_Name ]
| ...

Ciao.

Giuseppe

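The three subsearch rules above, modelled in Python as an added example (this is not code from the thread or from Splunk): it rebuilds the thread's NTLM V1 then NTLM V2 workflow over constructed 4624-style events, shows the OR-of-ANDs filter that Splunk's implicit format builds from the subsearch rows, and shows what happens when extra fields are kept, when field names don't match, or when the result cap is exceeded. The 50,000 cap is taken from the answer above; the real value is configured in limits.conf.

```python
# Added example, not code from this thread or from Splunk: a model of how a
# subsearch is expanded into a filter for the outer search.
# EVENTS are constructed 4624-style records using the thread's field names.
EVENTS = [
    {"EventCode": "4624", "Workstation_Name": "SRV01", "Package_Name__NTLM_only_": "NTLM V1", "Account_Name": "svc_a"},
    {"EventCode": "4624", "Workstation_Name": "SRV01", "Package_Name__NTLM_only_": "NTLM V2", "Account_Name": "bob"},
    {"EventCode": "4624", "Workstation_Name": "SRV02", "Package_Name__NTLM_only_": "NTLM V2", "Account_Name": "alice"},
    {"EventCode": "4624", "Workstation_Name": "SRV03", "Package_Name__NTLM_only_": "NTLM V1", "Account_Name": "svc_b"},
    {"EventCode": "4624", "Workstation_Name": "SRV03", "Package_Name__NTLM_only_": "NTLM V2", "Account_Name": "carol"},
    {"EventCode": "4625", "Workstation_Name": "SRV04", "Package_Name__NTLM_only_": "NTLM V1", "Account_Name": "mallory"},
]

def search(events, **terms):
    """`search k=v ...`: keep events whose fields equal every given term."""
    return [e for e in events if all(e.get(k) == v for k, v in terms.items())]

def subsearch(rows, keep_fields, rename=None, maxout=50000):
    """Model `[ ... | rename ... | fields ... ]`: rename, project to keep_fields,
    drop duplicate rows, and enforce the result cap (50,000 as stated in the
    answer above; the real cap is configured in limits.conf)."""
    rename = rename or {}
    unique = []
    for row in rows:
        renamed = {rename.get(k, k): v for k, v in row.items()}
        projected = {f: renamed[f] for f in keep_fields if f in renamed}
        if projected and projected not in unique:
            unique.append(projected)
    if len(unique) > maxout:
        raise ValueError(f"subsearch returned {len(unique)} rows, cap is {maxout}")
    return unique

def format_filter(rows):
    """What Splunk's implicit `format` makes of the rows: an OR of ANDed terms.
    Every kept field becomes an AND term, which is why only key fields belong here."""
    clauses = [" AND ".join(f'{k}="{v}"' for k, v in r.items()) for r in rows]
    return "(" + " OR ".join(f"({c})" for c in clauses) + ")" if clauses else "NOT ()"  # empty subsearch: nothing can match

def apply_filter(events, rows):
    """Outer search keeps an event if ANY row's fields ALL match it; a mismatched field name never matches."""
    return [e for e in events if any(all(e.get(k) == v for k, v in r.items()) for r in rows)]

def ntlm_v2_on_v1_servers(events, keep_fields=("Workstation_Name",), rename=None):
    """The thread's goal without an intermediate CSV: servers seen with NTLM V1,
    then the NTLM V2 logons on those same servers."""
    inner = search(events, EventCode="4624", Package_Name__NTLM_only_="NTLM V1")
    rows = subsearch(inner, keep_fields, rename)
    outer = search(apply_filter(events, rows), EventCode="4624", Package_Name__NTLM_only_="NTLM V2")
    return sorted({e["Workstation_Name"] for e in outer})
```

Keeping Account_Name in the subsearch, or renaming the key to a name the outer events don't carry, silently returns nothing rather than an error, which is the failure mode the three rules guard against.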

darphboubou
Explorer

Hi @gcusello,

I don't get it, but here is the code.

Retrieve NTLMv1 requests and add the operating system field to the result:

index="windows" Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" Package_Name__NTLM_only_="NTLM V1"
| join type=left Workstation_Name [ search index=bel_ldapsearch AND (type=server) | table name operatingSystem | rename name as Workstation_Name operatingSystem as os ]
| eval AccountD=mvindex(Account_Domain,1)
| eval AccountN=mvindex(Account_Name,1)
| table AccountD, AccountN, Workstation_Name, Package_Name__NTLM_only_, os
| rename Workstation_Name AS "Server", Package_Name__NTLM_only_ AS "NTLM Type"
| where isnotnull(os)
| dedup Server
| sort Server

and the second one:

index=windows EventCode=4624   [ | inputlookup damtest2.csv | rename Server AS Workstation_Name | fields Workstation_Name ]
| lookup damtest2.csv Server AS Workstation_Name OUTPUT os 
| table Workstation_Name os Package_Name__NTLM_only_ 
| dedup Workstation_Name Package_Name__NTLM_only_ 
| sort Workstation_Name
| where Package_Name__NTLM_only_="NTLM V2"

Thanks for your help 🙂

Regards


gcusello
SplunkTrust

Hi @darphboubou,

to execute the first search, you don't need all the things you have in the lookup generation, so you should try something like this:

index=windows EventCode=4624 [ search index="windows" Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" Package_Name__NTLM_only_="NTLM V1" | fields Workstation_Name ]
| lookup damtest2.csv Server AS Workstation_Name OUTPUT os 
| table Workstation_Name os Package_Name__NTLM_only_ 
| dedup Workstation_Name Package_Name__NTLM_only_ 
| sort Workstation_Name
| where Package_Name__NTLM_only_="NTLM V2"

Ciao.

Giuseppe
